Computer Crime Research Center

Phishing and pharming dangers

There’s a new breed on the Net — the cyber window shopper. Shopping online offers lots of benefits that you won’t find shopping in a store or by mail. The Internet is always open — seven days a week, 24 hours a day — and it’s crawling with super bargains.

The success of e-commerce in the country can be easily gauged from the fact that the 28-million-strong online population contributes to Rs 570 crore of transactions. It is estimated that a fourfold growth in the online population in the next two years will result in a 300 per cent growth in e-commerce, taking revenue from online transactions to Rs 2,300 crore.

For the consumer, shopping online means speed, convenience and savings. For the retailer, the Internet offers a bigger audience and reduced infrastructure costs, which can be passed on to the consumer.

Netizens between 18 and 25 years form the largest segment of window shoppers on the Net. They are mostly young professionals.

However, it is interesting to note that while 45 per cent of these people surfed the Net for information, price and availability of products to make informed decisions, 55 per cent had made an online transaction at least once.

The biggest worry is credit card misuse or the fear of allowing unauthorised access to bank accounts in case of debit cards. Being flooded with spam also worries an online member.

“The most common fear among shoppers is that their financial information will be misused, which is not totally unjustified,” says Pavan Duggal, advocate, Supreme Court of India and cyber law expert.

Agrees Preeti Desai, president, Internet and Mobile Association of India (IAMA), “There are a lot of fears associated with using a credit or debit card online. Consumers feel they are not protected on the Net and are liable to pay once online. The fear of fraud is also another major impediment.”

Let’s take a look at some of the frauds that can happen online.

Phishing is a type of online attack in which scammers copy the ‘look and feel’ of a reputed establishment’s website as accurately as possible, building a replica site as bait to reel in the targeted company’s customers.

One has to recognise this con job. Little details may be changed — like the missing ‘i’ in http://www.citbank.com shown on your address bar.

A more sophisticated version involves redirecting victims through a masked address with some cleverly concealed coding to redirect traffic from a genuine link. For example, one might use http://www.citibank.com, which is the genuine Citibank site.

But the information can actually be redirected to another site by using the ‘mask’. For example, http://www.citibank.com/track/dyredir.jsp?rDirl=http://300.651.250.10/ will redirect you to an entirely different site, which looks exactly the same as the original.

In such cases, the name displayed on your address bar is indeed genuine, and you’d have to explore the entire link to realise that it’s a fraud. How often will you take this trouble?
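
The two address tricks described above can be checked mechanically. The following Python sketch is an added example, not part of the original article: it flags a hostname that is one or two characters away from a trusted domain, and a query parameter that carries an absolute URL on a different host. The allow-list, the function names and the two-label domain heuristic are assumptions made for the illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumption: the domains this user actually does business with.
TRUSTED = {"citibank.com"}

def registrable(host):
    """Rough registrable domain: last two labels, or the whole host if numeric.
    Assumption: a real checker would consult the Public Suffix List."""
    host = host.lower().rstrip(".")
    if host.replace(".", "").isdigit():
        return host
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_url(url, trusted=TRUSTED):
    """Return a list of warnings for one URL; an empty list means nothing was flagged."""
    findings = []
    parts = urlsplit(url)
    domain = registrable(parts.hostname or "")
    if domain not in trusted:
        for good in sorted(trusted):
            if 0 < edit_distance(domain, good) <= 2:
                findings.append(f"look-alike of {good}: {domain}")
    # A parameter holding a full URL on another host is the 'mask' pattern.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        target = urlsplit(value.strip())
        if target.scheme in ("http", "https") and target.hostname:
            if registrable(target.hostname) != domain:
                findings.append(f"parameter {name} redirects to {target.hostname}")
    return findings

if __name__ == "__main__":
    # The URLs quoted in the article, used as sample input.
    for sample in ("http://www.citibank.com",
                   "http://www.citbank.com",
                   "http://www.citibank.com/track/dyredir.jsp?rDirl=http://300.651.250.10/"):
        print(sample, "->", check_url(sample) or "nothing flagged")
```
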

Internet users who are unaware of phishing often just follow the instructions they see onscreen, and get into a serious financial mess. Other than this, there are innumerable cases of bogus online charities. The modus operandi is almost the same — just click on the link provided to make an online donation that will never reach the orphaned kid or tsunami victim it was intended for. You, on the other hand, have not only given the frauds money, but have also offered your credit card details.

An even more sophisticated and difficult-to-detect online fraud is pharming, which involves hijacking the targeted site altogether. In a typical case of pharming, either the victim’s system or the DNS server may be compromised to redirect traffic to a malicious site. Through ‘DNS poisoning’ or ‘URL hijacking’ even correctly entered URLs can be diverted to a malicious site somewhere else in an attempt to extract sensitive personal data.

Other scams that play on the Internet user’s greed include those related to online lotteries that require you to furnish your personal details in order to claim a prize you’ll never receive, online auctions, and postal forwarding/redirecting frauds.

“Despite such instances of cyber frauds, one must not forget that online crimes can also be committed by securing financial information offline,” cautions Duggal.

For example, in 2003, Arif Azim, a call centre employee, was convicted for stealing and misusing a credit card number by smooth talking and convincing a bank customer, Barbara Campa, to reveal her credit card number and other details on the pretext of correcting her billing records.

Furthermore, one should abstain from shopping for pornographic and obscene material on the Internet, as under the Information Technology Act, 2000, such actions have been made punishable with five years’ imprisonment and a Rs 1 lakh fine, says Duggal.

Precaution is still the best cure, advises Duggal. “So be on your alert and trust your instincts while transacting online,” he adds.

What if you are hit?

If you notice a transaction on your credit card not authorised by you, immediately call the company and reverse the transaction, urges Desai.

“In a scenario, where your request is denied by the company, you should report the matter to the deputy superintendent of police, as under the IT act, no officer below such a designation is authorised to handle a cyber crime,” clarifies Duggal.